What’s Wrong With SMS Authentication? Two IBM Experts Weigh In on the NIST Recommendation

In May 2016, the National Institute of Standards and Technology (NIST) published a guideline recommending the deprecation of SMS authentication as a second factor for strong authentication.

Many news outlets and security blogs have discussed the issue since then, expressing vastly different takes on the matter. I decided to ask two IBM authentication experts, Dustin Hoff and Ashish Malhotra, for their recommendations.

IBM Experts Weigh In on SMS Authentication

Question: Let’s level set on the basics — what is an SMS one-time password (OTP)?

Malhotra: In SMS-based two-factor authentication (2FA), a user must confirm the intended login or transaction by entering an OTP sent to their mobile phone — typically, a four- to eight-digit numerical code. This authentication method was once believed to protect against man-in-the-middle (MitM) attacks until security professionals realized that text messages can be intercepted by fraudsters just as easily.

How can an SMS OTP be compromised?

Malhotra: If a mobile phone is compromised because its user unwittingly downloaded malware onto it, a fraudster can simply command the malware to monitor text messages, including those containing OTPs, on that phone. Many phones are susceptible to Trojans like Zeus, Zitmo, Citadel and Perkele, which leverage open access to SMS on mobile phones specifically to intercept OTPs.

Many of these Trojans are targeting SMS OTPs, mobile SIM swaps, SIM clones, number porting attacks, fake caller ID and call forwarding scams operated by dishonest customer service representatives at mobile carriers. All of these exploit insecure SMS networks and erode misplaced trust in the channel.


What about for users whose phones haven’t been corrupted by malware? Is SMS OTP safe then?

Malhotra: The security of SMS authentication relies on the security of cellular networks, and with the attacks against Global System for Mobile Communications (GSM) and 3G networks, the confidentiality of text messages cannot be assured. Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped during transmission, even if the receiving device wasn’t infected by malware.

In addition, SMS messages are stored as plaintext by the short message service center (SMSC) before they are successfully delivered to the intended recipient. These messages could be viewed or amended by users in the SMSC who have access to the messaging system. Spying programs such as FlexiSpy enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis.

How are companies reacting to these threats?

Hoff: Despite these security issues, using SMS OTP as a second factor is still better than simply relying on the username/password combo. For this reason, most companies haven’t urgently migrated to other authentication methods.

However, I would expect this migration to take place over time. As smart devices become more and more ubiquitous, myriad new authentication methods will become available. From push-to-approve to biometrics, such as fingerprint scans, retina scans or even voice recognition, safer and more convenient choices will make it easy to do away with SMS OTP.

Malhotra: If we look at companies worldwide, we see that different geographies are at different stages of the authentication journey. South Africa was one of the first markets to move wholesale to SMS OTPs. Today, a large majority of banks there have dropped them in favor of safer, more convenient out-of-band authentication solutions centered on the mobile phone. European banks are fast dropping the technology, too. The technology is still very prevalent in North America, though we see that changing little by little.

Many banks, apps and other consumer-facing services use SMS OTP as a second factor. What’s a private consumer to do?

Hoff: As an end user of secure online services, you can immediately take a few steps to help protect yourself.

To start, you should ensure that you follow strong password guidelines and enable two-factor authentication on all services that support it, including Google, Apple and many others. While this sounds easy, you would be surprised to find how many people don’t take this seemingly simple step.

Next, check to see if your service provider offers alternatives to SMS authentication that you can start using today. For example, many services use a solution like the Google Authenticator that relies on open standards for secure OTPs. Other providers, such as Apple, have more recently started offering OTPs via push notification in order to bypass SMS delivery. There are also multiple vendors that sell relatively low-cost, standards-based, bring-your-own-authenticator hardware tokens, which can provide extra security for a variety of online services.

Finally, regardless of your chosen multifactor authentication method, ensure that you follow good mobile security practices.

What about enterprise use cases? What’s the right authentication strategy for employees, partners, contractors or even customers?

Hoff: As service providers and enterprises, you must also consider the NIST recommendations as part of your larger IAM and online security strategy. Changes may have a large impact on your users and could require additional investment, so it is important to take a thoughtful approach.

To start, remember that SMS-based two-factor authentication is still better than traditional usernames/passwords. Billions of SMS messages are exchanged each day, and while only a fraction of these are OTPs, the system is not going away overnight.

Looking ahead, it’s a good idea to understand the risk associated with different segments of your user population. For example, high-volume users on an online marketplace might be more valuable to your service and therefore pose a greater risk to your business if they are compromised. Once you understand the risk levels associated with different user segments, you can prioritize the implementation of newer, more secure authentication mechanisms.

The third step is to investigate innovations and new technologies for authentication and web access management solutions. While there is no silver bullet, vendors continue to add new functionality in this space to help enterprises and end users alike secure their online activity.

To learn more, watch the on-demand webinar, “Five Steps to Overcome Customer Authentication Chaos.”

Laurène Hummer

Global Portfolio Marketing for IAM Security Services, IBM Security

Laurène Hummer leads the global portfolio marketing efforts for Identity and Access Management (IAM) Services at IBM. She enjoys speaking to industry trends, technology breakthroughs, and customer needs. She holds an MBA and a chemical engineering degree from the University of Massachusetts at Amherst.